Layer 7 DoS attacks

Unanswered Question
Jul 27th, 2011

Our vulnerability assessment has shown that we are potentially vulnerable to Layer 7 DoS attacks like slow http post (http://tinyurl.com/3l4fnjg) or slow http headers (http://tinyurl.com/lgph8j). I'm wondering if there is anything we can do at the ASA or IPS level to alleviate these potential issues?

TCP Intercept sounds like a possibility, but not sure if it's geared more toward a true DoS attack rather than these layer 7 types?

Here is what we've been told the weaknesses are and the recommended steps to mitigate the issue, but I'm not really sure where/how to do it:

1) Allowing a server connection to stay open for an unlimited amount of time (no absolute timeout)

-Solution: Apply an absolute timeout

2) Allowing excessive/unneeded content (no max data threshold)

-Solution: Apply a max data threshold based on the form requirements

3) Allowing message content to be sent separately at extremely slow speeds (no minimum speed rate)

-Solution: Apply acceptable minimum speed rate for requests

Any help or pointers would be greatly appreciated!
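As an added illustration of the three checks the scanner recommended (this is not code from the thread or from Cisco), here is a small Python model that replays one connection's receive events against an absolute timeout, a maximum body size and a minimum speed rate; the thresholds and the traces are constructed sample values, not ASA defaults.

```python
"""Replays one connection's receive events against the three checks the scanner
asked for: absolute timeout, max data threshold, minimum speed rate."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Event = Tuple[float, int]              # (seconds since accept, bytes received)
Verdict = Tuple[str, Optional[float]]  # ("ok" | check that fired, drop time in s)

@dataclass(frozen=True)
class Policy:
    absolute_timeout_s: float  # 1) nobody may hold a connection longer than this
    max_body_bytes: int        # 2) the most data the form legitimately needs
    min_rate_bps: float        # 3) floor on average bytes/second once grace has passed
    rate_grace_s: float = 5.0  # do not judge the rate before this much time has elapsed

def _deadline_hit(t: float, rate_deadline: float, p: Policy) -> Optional[Verdict]:
    """Whichever of the absolute timeout and the rate deadline comes first wins."""
    first = min(p.absolute_timeout_s, rate_deadline)
    if t > first:
        return ("absolute-timeout" if first == p.absolute_timeout_s else "min-rate", first)
    return None

def evaluate(events: List[Event], open_for_s: float, p: Policy) -> Verdict:
    """Walk events in arrival order; open_for_s is how long the socket stayed open."""
    total = 0
    # The average rate is total / t, so with no new bytes it sinks below the floor
    # at t = total / min_rate_bps; a client that slows down only moves that moment.
    rate_deadline = p.rate_grace_s
    for t, n in events:
        hit = _deadline_hit(t, rate_deadline, p)
        if hit:
            return hit                       # these bytes arrived after the cut-off
        total += n
        if total > p.max_body_bytes:
            return ("max-data-threshold", t)
        rate_deadline = max(p.rate_grace_s, total / p.min_rate_bps)
    return _deadline_hit(open_for_s, rate_deadline, p) or ("ok", None)

FORM_POLICY = Policy(absolute_timeout_s=120, max_body_bytes=4096, min_rate_bps=100)
# Constructed traces: a normal POST, a slow-headers trickle (one 20-byte header
# line every 10 s), and a body larger than the form needs.
SAMPLES: Dict[str, Tuple[List[Event], float]] = {
    "normal-post":  ([(0.1, 400), (0.2, 600)], 0.3),
    "slow-headers": ([(0.05, 30)] + [(10.0 * i, 20) for i in range(1, 30)], 300.0),
    "oversized":    ([(0.5, 3000), (1.0, 2000)], 1.2),
}

def run_samples(p: Policy = FORM_POLICY) -> Dict[str, Verdict]:
    return {name: evaluate(ev, open_for, p) for name, (ev, open_for) in SAMPLES.items()}
```

With FORM_POLICY the slow-headers trace is cut at 5 s (30 bytes in the grace window is far below 100 B/s), and the oversized body is dropped the moment the running total passes 4096 bytes.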

mirober2 Tue, 08/02/2011 - 06:05

Hi Corey,

You can use conn limits on the ASA to some extent to help mitigate this. For example, you can apply a limit to allow clients to have only 1 or 2 HTTP conns at any time. This would only be effective if the attack came from a small number of sources. You could also apply a limit to the number of concurrent connections allowed to your web server at any time. Both of these methods would take some tuning as you need to set the limits at a level that is strict enough to prevent some of the attacks and be effective against a distributed attack, but high enough that you don't end up denying access to legitimate users as well.

You could also try setting a very low timeout for HTTP connections, but this again would be a bit of a balancing act since the attacker could dynamically adjust the rate of their requests. In addition, all of these methods are layer 4 mitigation techniques, which the attacks are specifically designed to circumvent.

All of the above would be done with the 'set connection {per-client-max|conn-max|timeout}' commands in a policy-map. See this link for more details:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html#wp1080774

As for a layer 7 defense, you could satisfy technique 2 that you mentioned (setting a max data limit). You could do this with the ASA's layer 7 HTTP inspection:

class-map http-class
 match port tcp eq 80
!
policy-map type inspect http http-map
 parameters
 match request header content-length length gt 1000
  drop-connection log
!
policy-map global_policy
 class http-class
  inspect http http-map
!
service-policy global_policy global

Other than that, it would be best to use a more dynamic detection method, such as an IPS. You may have better luck with help there over in our IPS/IDS community:

https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=discussions

Hope that helps.

-Mike

corey@networks-... Tue, 08/02/2011 - 06:21

Thanks, Mike, I will look into those options!

scotthendrickson Thu, 09/15/2011 - 07:37

Good morning....

Our appliance scanner found the same vulnerability and we are looking for ways to mitigate the issue. Microber....did you implement any of the techniques listed above on your ASA? Did they solve the issue from the appliance standpoint??

Thanks in advance for your feedback.

Posted July 27, 2011 at 1:56 PM
Updated July 27, 2011 at 1:57 PM